Thomas Breen / Maya McFadden file photos
NHPS Supt. Negrón (right) to fired I.T. boss (left): "You took no steps whatsoever to ensure BOE was protected from cyberattacks."
(Updated) The Board of Education’s I.T. network was “among the worst” a cybersecurity contractor had ever seen — and New Haven Public Schools’ (NHPS) top tech safety official misrepresented the work she had done to protect the district from future cyberattacks following a $6 million hack.
Those sharp rebukes are included in a three-page termination letter sent by NHPS Supt. Madeline Negrón to Gildemar Herrera. The letter offers the first publicly available insight into why the district fired its I.T. director, who also serves as a municipal union president.
That “Notice of Termination” letter is dated Aug. 30.
The Independent obtained a redacted copy of the letter earlier this week in response to a Connecticut Freedom of Information Act (FOIA) request for details on why the district fired Herrera, as first reported on Sept. 3.
The letter states that Herrera waived her rights on Aug. 29 to defend herself at a Loudermill hearing against district charges that she failed to perform the duties of and misrepresented her work as the public school district’s information technology (I.T.) director, a role she had held since July 2020.
It states that a district-hired cybersecurity contractor named Paul Ashe of the Florida-based firm Securance graded the Board of Education’s I.T. network as a “D”, and “believed the system was among the worst he had ever seen.”
“As Department Director, this assessment is an appalling indictment of your leadership or lack thereof,” Negrón wrote to Herrera. “Your oversight was particularly lacking with respect to the BOE firewall, which was at least a decade old and was no longer supported by Cisco. It appears that you took no steps whatsoever [underlining included in original letter] to ensure that the BOE was protected from cyberattacks or other security breaches.”
Herrera served as the district’s I.T. director up until February, when she and NHPS’ senior I.T. information specialist were placed on paid administrative leave for what the district’s spokesperson described at the time as “performance-related concerns.” Her termination came more than a year after a cyberattack saw hackers compromise the email of NHPS Chief Operating Officer Thomas Lamb (who remains on paid leave himself) and steal more than $6 million of city funds, most of which were meant to pay for New Haven school buses. (Mayor Justin Elicker has said the city has recovered or is scheduled to recover roughly $5.1 million of the stolen $6 million.)
Herrera — who is also the president of Local 3144, a municipal union that represents more than 400 city and public school district management and professional workers — told the Independent after her termination that she had been “wrongfully dismissed.” She declined to comment further for this article about the details included in her termination letter.
Update: On Friday afternoon, AFSCME Council 4 / Local 3144 staff representative Patrick Sampson told the Independent that Herrera will continue to serve out her term as president representing the union’s 400 city management employees. He declined to comment further on her termination.
Negrón’s Aug. 30 letter, meanwhile, details why the district decided to fire Herrera in the first place.
In addition to the accusation that Herrera had not adequately overseen the district’s I.T. network, Negrón charged her with misrepresenting her and her department’s “review and correction of the priority items pertaining to the BOE’s firewall.”
The superintendent stated that Securance, the cybersecurity firm, provided on Jan. 8, 2024 a list of seven different “level 5 — urgent” items in need of immediate attention. (The details of that “urgent” to do list were redacted from the letter obtained by the Independent.)
On Jan. 19, the superintendent continued, Herrera “represented that the most critical items in the Securance report — collectively referred to as ‘the fives’ — had been successfully addressed by your office.” But, on Jan. 25, Securance conducted another analysis of the firewall “which showed virtually no improvement.” (A representative from Securance did not respond to a request for comment for this article.)
Herrera reportedly told an investigator from the city-hired firm New Light Investigations “that you never represented to anyone in any meeting that ‘the fives’ had been taken care of, but later backtracked that statement when presented with compelling evidence to the contrary.”
Next, Negrón wrote, it appears Herrera “took no steps to address the security of the BOE systems, even after the breach of Tom Lamb’s email in 2023. Although you claim to have prepared a quote for a dual data center with a new firewall two years ago, there is no evidence of any follow up or urgency on your part. You likewise noted to the investigator that the network infrastructure needed work, but again there is no evidence that you took any measurable steps to address the issue.”
The superintendent’s letter continues with two more enumerated accusations against Herrera — that she allegedly misrepresented her work experience when applying for the district’s top I.T. role, and that she outsourced management of the district’s firewall to a firm called Total Communications “but failed to adequately oversee and manage the process.”
“Moreover, the absence of a proper management framework, such as regular performance reviews on the vendor, security audits, and clear communication channels with Total Communications, meant that issues were neither identified nor addressed in a timely manner,” Negrón wrote. “This not only jeopardized the integrity of NHPS IT infrastructure but also undermined the trust that the Board of Education placed in your leadership.”
And so, the superintendent concluded, Herrera’s termination “is effective immediately.”
When asked if the district has also fired the I.T. information specialist, who was placed on paid leave in February at the same time as Herrera, NHPS spokesperson Justin Harmon told the Independent that “the matter related to our IT specialist is still pending.”
He also said that the district is receiving support from the city’s I.T. department in the absence of NHPS having its own I.T. director.
Dereen Shirnekhi contributed to this report.